DETAILED ACTION

1. This Office action is in response to the amendment filed on February 6, 2006.

2. Claims 49-87 are pending. 

3. Claims 49-79 are amended. 

4. Claims 80-87 are new. 

5. Claims 1-48 are canceled. 

6. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 

Response to Amendment 

7. The objections to claims 73-75 are withdrawn as the amendment overcomes the 
objections. 

8. The 112/2nd paragraph rejections to claims 49-69 are withdrawn as the
amendment overcomes the 112/2nd paragraph rejections.

Response to Arguments 

9. Applicant's arguments that the prior art of record does not teach the limitations of
the amended claims are contingent on Applicant's allegation that the account number
disclosed by Dustan is not a state identifier. In particular, Applicant states:

[t]he account number and password are validated to determine whether to permit client
access to the network. See col. 17, lns. 58-67. But, it should be appreciated that the
account number and password are not used by the server to maintain state, i.e., to 
determine whether a particular communication is part of a common user session. 
Instead, the server generates a session ID for the purpose of maintaining state and 
provides that information back to the client. See Fig. 5, reference numbers 212, 216. 
(Remarks, pg. 14) 

10. In reply, Applicant's allegation does not describe the role of the account number 
in full as taught by Dustan. Dustan clearly specifies the use of the account number for 
the purpose of maintaining state: "As a result, the session id, account number, and the 
function request are provided to database server 22 from the client ... Database server 
compares the received session id with the session id stored in the user table associated 
with the user's account number ... if the session id is verified, the method proceeds ..." 
(col. 18:36-49) It is also clear from Dustan that the initial login where the client submits
the account number and password constitutes an identifier submitted from the client to 
the network server in order to establish a client session with the network server; the 
network server uses the account number to identify the client. As such, the account 
number is an identifier that enables web applications to retain a record of a user's prior 
transactions and utilize that record to more effectively serve that user. This is 
consistent with Applicant's interpretation of "state" as disclosed in the Specification, pg.
2, 3rd paragraph.

11. Applicant also argues that the Hunter reference does not provide sufficient
disclosure to render claim 67 obvious. (Remarks, pg. 18) Examiner respectfully 
disagrees. Claim 67 recites the limitation "the apparatus of claim 66, further comprising 
a web-browser application, wherein said processor is further adapted to delete said 
state identifier from said memory when said web-browser application is closed." In the 
art, when a web-browser application is terminated, any session state associated with 
the web-browser application is similarly eliminated by virtue of the termination of the 
web-browser (the web-browser initiates and enables the session). Similarly, as Hunter 
discloses, the default time when a cookie is removed from a client's memory is when 
the web-browser application is closed. ("A negative value indicates the default, that the 
cookie should expire when the browser exits." See Office action mailed 10/12/05 and 
below) This is sufficient to anticipate the stated limitation. 

12. Hence, Applicant's arguments are not persuasive. 

Claim Rejections - 35 USC § 102 

13. Claim 80 is rejected under 35 USC 102(b) as being anticipated by Dustan et al. 
USPN 5,884,314. (hereinafter Dustan) 

14. As per claim 80 Dustan discloses a method for communicating between a client 
and a server, the server being in communication with a database, comprising: 

a. initiating a user session with the server by communicating from the client 
to the server an initial request message over a stateless network protocol, the
message further including a unique, client-generated state identifier, the server
creating a record in the database associated with the user session with the state
identifier contained therein (fig. 5, reference nos. 176, 178 and 212, and related
text; the account number and password is used to "login" the user to maintain a
user session - this login information enables state to be maintained between the
user and server); 

b. conducting the user session in which the server provides at least one 
response to the initial request message, and in which any subsequent request 
messages communicated from the client to the server include the same state 
identifier, the server associating the initial request message and the subsequent 
request messages together as part of the user session by verifying 
correspondence with the state identifier contained in the database record; and 
ending the user session (fig. 6); 

c. ending the user session by discontinuing communication of further request 
messages from the client to the server and deleting the state identifier from the 
client, (by virtue of terminating the session between the client and server) 

Claim Rejections - 35 USC § 103 

15. Claims 49-52, 56-61, 65, 66, 68-72 and 76-87 are rejected under 35 U.S.C.
103(a) as being unpatentable over Dustan et al USPN 5,884,312 (hereinafter Dustan) in
view of MacDoran et al. USPN 5,757,916 (hereinafter MacDoran) and further in view of
Denning et al. "Location-Based Authentication: Grounding Cyberspace for Better
Security." (hereinafter Denning) 

16. As per claim 49, Dustan discloses a method for maintaining state between a 
client and a server, the server being in communication with a database, comprising: 

d. generating a user ID that identifies the client for a login session with a 
server (fig. 5, reference no. 176 and related text; [account number and 
password]); 

e. transmitting the user ID from the client to the server in an initial 
communication with the server (fig. 5, reference no. 178 and related text); 

f. storing the user ID and a generated session ID in the database in 
association with a record of a first user session with the client (fig. 5, reference 
no. 212); 

g. transmitting session ID information to the server in a second 
communication with the server (fig. 6, reference no. 234 and related text); and

h. determining whether the subsequent communication is part of the first 
user session by comparing the subsequently transmitted session ID with the 
initially generated state identifier stored in the database, and if there is a match 
then associating the second communication with the record of the first user 
session (fig. 6, reference no. 236, 238, 240 and 242, and related text). 

Dustan does not disclose generating a unique state identifier that contains information 
based on a location value of the client; transmitting the state identifier with/or in lieu of
the user ID in the initial communication with the server; and transmitting the state
identifier in subsequent communications with the server. MacDoran discloses 
generating the user ID using geodetic values of the user to identify and authenticate the 
user. These values are derived from signals received using GPS to locate a moving 
user at a specific time (Abstract; col. 2:10-61). MacDoran further discloses the 
desirability of an initial authentication using geodetic location of the user and performing 
subsequent location-based authentication of the remote user. (2:48-54) Moreover, 
MacDoran discloses one of the advantages of using geodetic values is that it makes 
"spoofing" of the host device very difficult (1:7-2:7). To further establish a basis for
motivation to combine the teachings of Dustan and MacDoran, the disclosure of
Denning teaches "[a]uthentication through geodetic location has many benefits[; i]t can
be performed continuously so that a connection cannot be hijacked ... location based
authentication [is] a good technique to use in conjunction with single sign-on"
(username and password), and further discloses "[t]he use of geodetic location can
supplement or complement other methods of authentication." (pg. 13, 2nd and 5th
paragraphs) Therefore, it would be obvious to one of ordinary skill in the art at the time the
invention was made to generate a unique state identifier that contains information based 
on the client location at a specific time, and transmitting the state identifier from the 
client in the initial communication with the server; and transmitting the state identifier in 
subsequent communications with the server; wherein the subsequent communication is 
matched to the initial communication when the initially transmitted state identifier 
matches the subsequently transmitted state identifier. One would be motivated to do so
since it enhances the prevention of access to the sensitive information by unauthorized
users and prevents the communication from being hijacked (MacDoran and Denning, 
ibid). The aforementioned cover the limitations of claim 49. 

17. As per claim 50, the rejection of claim 49 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, the generating step further comprises generating the state
identifier based on a location value that corresponds to the location of the client 
(MacDoran, col. 2:35-40). 

18. As per claim 51, the rejection of claim 49 under 35 U.S.C. 103(a) is incorporated
herein. (supra) In addition, the generating step further comprises generating the state
identifier based on a location value that includes a latitude and longitude dimension 
(MacDoran, col. 2:13-14). 

19. As per claim 52, the rejection of claim 51 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, the generating step further comprises generating the state
identifier based on a location value that further includes an altitude dimension 
(MacDoran, col. 2:13-14). 

20. As per claim 56, the rejection of claim 49 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, the method further comprising the step of deriving an
anonymous user ID from a state identifier (Dustan, col. 9:4-7; 18:14-22; 19:53-56).

21. As per claim 57, the rejection of claim 56 under 35 U.S.C. 103(a) is incorporated
herein. (supra) In addition, the deriving step further comprises mathematically
encoding a state identifier into the anonymous user ID (Dustan, col. 9:4-7; 18:14-22; 
19:53-56). 

22. As per claims 58-61 and 65, they are claims corresponding to claims 49-52, 56 
and 57, and they do not teach or define above the information claimed in claims 49-52, 
56 and 57. Therefore, claims 58-61 and 65 are rejected as being unpatentable over 
Dustan in view of MacDoran and Denning for the same reasons set forth in the 
rejections of claims 49-52, 56 and 57. 

23. As per claim 66, Dustan discloses an apparatus for facilitating interaction 
between a user and a web application operating on a remote server, comprising: 

i. a memory (fig. 1; reference no. 24); and

j. a processor electrically connected to the memory (fig. 1, reference no. 24)
and adapted to: 

i. transmit a user ID, in association with a first user session between 
the user and the web application, wherein the server generates, then 
stores a session id based on the user ID and transmits the session id to 
the user (fig. 5, reference nos. 176 and 178 and related text);

ii. store the session ID in the memory (fig. 5, reference no. 216 and
related text; col. 10:40-44); 

iii. transmit a request to the server and include the session ID in the 
request if the request is part of the first user session (fig. 6, reference no. 
234 and related text); and 

iv. alternatively require submission of a new user ID and include the 
new user ID in the request if the request is part of a new user session (fig. 
5, reference no. 174; fig. 6, reference no. 240 and related text). 

Dustan does not disclose generating a unique state identifier that contains information 
based on a location value of the client; transmitting the state identifier with/or in lieu of 
the user ID in the initial communication with the server; transmitting the state identifier in 
subsequent communications with the server; and alternatively generate a new state 
identifier and include the new state identifier in the request if the request is part of the 
new user session. MacDoran discloses generating the user ID using geodetic values of 
the user to identify and authenticate the user. These values are derived from signals 
received using GPS to locate a moving user at a specific time (Abstract; col. 2:10-61).
MacDoran further discloses the desirability of an initial authentication using geodetic 
location of the user and performing subsequent location-based authentication of the 
remote user. (2:48-54) Moreover, MacDoran discloses one of the advantages of using 
geodetic values is that it makes "spoofing" of the host device very difficult (1:7-2:7). To 
further establish a basis for motivation to combine the teachings of Dustan and 
MacDoran, the disclosure of Denning teaches "[a]uthentication through geodetic
location has many benefits[; i]t can be performed continuously so that a connection
cannot be hijacked ... location based authentication [is] a good technique to use in
conjunction with single sign-on" (username and password), and further discloses "[t]he
use of geodetic location can supplement or complement other methods of
authentication." (pg. 13, 2nd and 5th paragraphs) Therefore, it would be obvious to one
of ordinary skill in the art at the time the invention was made to generate a unique state
identifier that contains information based on the client location at a specific time, and 
transmitting the state identifier from the client in the initial communication with the 
server; and transmitting the state identifier in subsequent communications with the 
server; wherein the subsequent communication is matched to the initial communication 
when the initially transmitted state identifier matches the subsequently transmitted state 
identifier; and alternatively generate a new state identifier and include the new state 
identifier in the request if the request is part of the new user session. One would be 
motivated to do so since it enhances the prevention of access to the sensitive 
information by unauthorized users and prevents the communication from being hijacked 
(MacDoran and Denning, ibid). The aforementioned cover the limitations of claim 66. 

24. As per claim 68, the rejection of claim 66 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, the processor is further adapted to store the new state
identifier in the memory if the request is part of a new user session (Dustan, fig. 5, 
reference no. 216 and related text).

25. As per claim 69, the rejection of claim 68 under 35 U.S.C. 103(a) is incorporated
herein. (supra) In addition, the processor is further adapted to replace the state
identifier in the memory with the new state identifier if the request is part of a new user 
session (Dustan, fig. 5, reference no. 216; fig. 6, reference no. 240). 

26. As per claim 70, Dustan discloses a method for communicating between a client 
and a server, comprising: 

k. generating a state ID (fig. 5, reference no. 212 and related text); 

l. incorporating the state ID into a communication (fig. 6, reference nos. 232
and 234, and related text);

m. sending the communication to the server (fig. 6, reference no. 232 and 
related text); 

n. comparing the state ID to information stored in a database, the database 
being in communication with and accessible by the server (fig. 6, reference no. 
236 and related text); 

o. identifying the communication as part of a previous session if there is 
coincidence between the state ID and information stored in the database (fig. 6, 
reference no. 238 and 242, and related text); and 

p. identifying the communication as part of a new session if there is no 
coincidence between the state ID and information stored in the database (fig. 6, 
reference no. 238 and 240, and related text).

Dustan does not disclose generating the ID based on the location of the client.
MacDoran discloses generating the user ID using geodetic values of the user to identify 
and authenticate the user. These values are derived from signals received using GPS 
to locate a moving user at a specific time (Abstract; col. 2:10-61). MacDoran further 
discloses the desirability of an initial authentication using geodetic location of the user 
and performing subsequent location-based authentication of the remote user. (2:48-54) 
Moreover, MacDoran discloses one of the advantages of using geodetic values is that it 
makes "spoofing" of the host device very difficult (1:7-2:7). To further establish a basis
for motivation to combine the teachings of Dustan and MacDoran, the disclosure of
Denning teaches "[a]uthentication through geodetic location has many benefits[; i]t can
be performed continuously so that a connection cannot be hijacked ... location based
authentication [is] a good technique to use in conjunction with single sign-on"
(username and password), and further discloses "[t]he use of geodetic location can
supplement or complement other methods of authentication." (pg. 13, 2nd and 5th
paragraphs) Therefore, it would be obvious to one of ordinary skill in the art at the time the
invention was made to generate the state ID based on the location of the client. One 
would be motivated to do so since it enhances the prevention of access to the sensitive 
information by unauthorized users and prevents the communication from being hijacked 
(MacDoran and Denning, ibid). The aforementioned cover the limitations of claim 70. 

27. As per claim 71, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, the generating step further comprises generating the user
state ID based on a location value that includes a latitude and longitude dimension
(MacDoran, col. 2:13-14). 

28. As per claim 72, the rejection of claim 71 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, the step of generating a user ID further comprises
generating the state ID based on a location value that further includes an altitude 
dimension (MacDoran, col. 2:13-14). 

29. As per claim 76, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, the step of generating a state ID further comprises
generating the state ID from location data acquired from a GPS receiver (MacDoran, fig.
1, reference no. 103 and related text).

30. As per claim 77, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, the method further comprises deleting the state ID upon
completion of the previous session (Dustan, fig. 7, reference no. 300 and related text). 

31. As per claim 78, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated 
herein. (supra) In addition, Dustan discloses logging user activity in a log table
including the data and time of user logon and log off, and all of the individual request 
made by a user during a session (col. 13:10-28). Information identifying these events to 
a single user requires logging a user identifier. The state ID is the obvious choice since
it uniquely identifies the user and the communication. Therefore, it would be obvious to
one of ordinary skill in the art at the time the invention was made to maintain at least a 
portion of the state identifier upon completion of the previous session. One would be 
motivated to do so since this enables logged actions to be traced to a specific user in an 
audit report. 

32. As per claim 79, the rejection of claim 70 under 35 U.S.C. 103(a) is incorporated
herein. (supra) In addition, the step of incorporating the state ID into a communication
further comprising incorporating the state ID into a cookie file and incorporating the 
cookie file into the communication (Dustan, col. 10:40-44). 

33. As per claims 80-83 and 87, they are claims corresponding to claims 49-52, 56 
and 57, and they do not teach or define above the information claimed in claims 49-52, 
56 and 57. Therefore, claims 80-83 and 87 are rejected as being unpatentable over 
Dustan in view of MacDoran and Denning for the same reasons set forth in the 
rejections of claims 49-52, 56 and 57. 

34. Claims 53-55, 62-64 and 73-75 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Dustan in view of MacDoran and Denning, and further in view of 
Fraker et al. USPN 5,919,239 (hereinafter Fraker).

35. As per claims 53 and 54, the rejection of claim 49 under 35 U.S.C. 103(a) is
incorporated herein. (supra) Although Dustan does not expressly disclose generating
the state ID based on a temporal value that corresponds to the creation of a state ID,
the generation of a state ID based on the geographic location of the user as taught by
MacDoran is derived by the location of a user at a specific time. Moreover, this idea of 
associating a time value with the location values is also taught by Fraker, wherein the 
time of the position data is gathered along with the position data and stored with the 
position data (fig. 5, reference nos. 310 and 312, and related text). Because the time of 
deriving the geographic location is critical to identify a user's location, it would be 
obvious to one of ordinary skill in the art at the time the invention was made for the state 
ID to be based on a temporal value corresponding to the creation of the state ID; a 
temporal value identifies when the location of the user was determined for proper 
authentication of the user. The aforementioned cover the limitations of claims 53 and 
54. 

36. As per claim 55, the rejection of claim 53 under 35 U.S.C. 103(a) is incorporated
herein. (supra) In addition, having the temporal value correspond to the invocation of
an Internet browser session is an obvious enhancement since the state ID is needed
only when an Internet browser session is established (Dustan, fig. 5, reference no. 176 
and fig. 6, reference no. 234). It would be obvious to one of ordinary skill in the art at 
the time the invention was made for the temporal value to correspond to the invocation 
of an Internet browser session, since the state ID is utilized when a user accesses
information from the start of a browser session (Dustan, col. 7:53-62). The
aforementioned cover the limitations of claim 55. 

37. As per claims 62-64, they are claims corresponding to claims 53-55 and 60, and 
they do not teach or define above the information claimed in claims 53-55 and 60. 
Therefore, claims 62-64 are rejected as being unpatentable over Dustan in view of 
MacDoran, Denning and Fraker for the same reasons set forth in the rejections of 
claims 53-55 and 60. 

38. As per claims 73-75, they are claims corresponding to claims 53-55 and 70, and 
they do not teach or define above the information claimed in claims 53-55 and 70. 
Therefore, claims 73-75 are rejected as being unpatentable over Dustan in view of 
MacDoran, Denning and Fraker for the same reasons set forth in the rejections of 
claims 53-55 and 70. 

39. As per claims 84-86, they are claims corresponding to claims 53-55, 70 and 80, 
and they do not teach or define above the information claimed in claims 53-55, 70 and 
80. Therefore, claims 84-86 are rejected as being unpatentable over Dustan in view of 
MacDoran, Denning and Fraker for the same reasons set forth in the rejections of 
claims 53-55, 70 and 80.

40. Claim 67 is rejected under 35 U.S.C. 103(a) as being unpatentable over Dustan
in view of MacDoran and Denning, and further in view of Hunter, JAVA Servlet
Programming, Chapter 7: Session Tracking (hereinafter Hunter).

41. As per claim 67, the rejection of claim 66 under 35 U.S.C. 103(a) is incorporated
herein. (supra) Dustan does not expressly teach deleting the state ID from the memory
when the web-browser application is closed. However, this action is a notoriously
well-known default function of a web browser. This step prevents information in a cookie
stored in a user's browser from persisting after the web-browser application is closed. 
This ensures that information only relevant for the duration of a given operation of a 
browser should persist during this time period. For example, Hunter discloses the JAVA 
function call that removes a cookie once the browser exits (pg. 204, "public void 
Cookie.setMaxAge(int expiry)," "A negative value indicates the default, that the cookie 
should expire when the browser exits."). Therefore, it would be obvious to one of 
ordinary skill in the art at the time the invention was made to delete the state ID from the 
memory when the web-browser application is closed. One would be motivated to do so 
as this is the default modus operandi for a web browser. The aforementioned cover the 
limitations of claim 67. 

Conclusion 

42. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Communications Inquiry 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jung W. Kim whose telephone number is 571-272-3804. 
The examiner can normally be reached on M-F 9:00-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 




Jung W Kim
Examiner
Art Unit 2132

March 8, 2006

GILBERTO BARRON
SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER 2100